1. Introduction

In  this  paper  we  study  the  expressive  power  of  nondeterminism  in 
dynamic logic. In particular, we show that first order regular dynamic logic
without equality (hereafter abbreviated DL) is more expressive than its
deterministic counterpart (DDL). This result has already been shown for the
quantifier-free case [MW], and for the propositional case [HR]. German and
Tiuryn have recently extended the present result to the case with equality. By
contrast, Meyer and Tiuryn have shown in [MT] that in the r.e. case,
deterministic  and  nondeterministic  dynamic  logic  coincide. 

The  proof  hinges  on  showing  that  in  a  precise  sense  a  deterministic 
regular  program  cannot  search  a  full  binary  tree.  Because  of  this,  the  truth 
of  a  first-order  DDL  formula,  even  with  first-order  quantification,  cannot 
depend  on  every  value  in  a  full  binary  tree.  From  this  it  will  follow  that  DDL 
is  less  expressive  than  DL.  The  kernel  of  the  proof  presented  here  can  already 
be  found  in  [HR]. 
2. Syntax and Semantics

We  give  a  brief  description  of  the  syntax  and  semantics  of  DL  and  DDL. 
The  reader  is  referred  to  [Har]  for  more  details. 

Syntax: Just as in first-order predicate calculus, we have predicate symbols
$P, Q, \ldots$ and function symbols $f, g, \ldots$, each with an associated arity,
variables $x, y, z, x_0, x_1, \ldots$, and logical symbols $\exists$, $\lor$, (, and ). DL
also uses a few special symbols in programs, namely $=$, $;$, $*$, $\cup$, $?$, and $\langle\,\rangle$
(pronounced "diamond").

Terms  are  formed  exactly  as  in  first-order  predicate  calculus. 
Formulas  and  programs  are  defined  inductively. 

(a)  Any  formula  of  first-order  predicate  calculus  is  a  formula. 

(b)  <variable>  =  <term>  is  a  (basic)  program. 

(c)  If  p,  q  are  formulas,  and  a,  b  are  programs,  then 

$p \lor q$, $\neg p$, $\exists x\,p$, and $\langle a \rangle p$ are formulas, and
$a;b$, $a \cup b$, and $a^*$ are programs.

(d)  If  p  is  a  quantifier-free  formula  of  predicate  calculus,  p?  is  a 
program. 

V as an abbreviation for similarly, [] (pronounced "box") is
an abbreviation for $\neg\langle\,\rangle\neg$.

Semantics: A state $(I,s)$ consists of two parts: $I$ is a structure which
consists of a domain, $\mathrm{dom}(I)$, and an interpretation of all the function and
predicate symbols over this domain, and $s$ is a valuation which assigns values
in the domain to all the variables.

Given a structure $I$, $\rho_I$ is a mapping from programs to binary
relations on valuations which describes the input-output behavior of programs
in structure $I$, and $\pi_I$ is a mapping from formulas to sets of valuations,
the valuations where the formula is "true". We usually write $(I,s) \models p$
instead of $s \in \pi_I(p)$. We define both $\rho_I$ and $\pi_I$ inductively.

(a) For $p$ a formula of first-order predicate calculus, $(I,s) \models p$ is
defined as usual.

(b) For basic programs of the form $x = t$, $t$ a term, $\rho_I(x = t) = \{(s, s[x/d]) \mid$
where $d \in \mathrm{dom}(I)$ is the value of the term $t$ in $(I,s)$, and $s[x/d]$
is the valuation such that $s[x/d](y) = s(y)$ if $y \neq x$ and $s[x/d](x) = d\}$

(c) For programs $a$, $b$ and formula $p$

$\rho_I(a \cup b) = \rho_I(a) \cup \rho_I(b)$

$\rho_I(a;b) = \rho_I(a) \circ \rho_I(b)$

$\rho_I(a^*) = \bigcup_{n \ge 0} \rho_I(a^n)$

$\rho_I(p?) = \{(s,s) \mid (I,s) \models p\}$

(d) For formulas $p$, $q$ and program $a$

$(I,s) \models \neg p$ iff $(I,s) \not\models p$
$(I,s) \models p \lor q$ iff $(I,s) \models p$ or $(I,s) \models q$
$(I,s) \models \exists x\,p$ iff for some $d \in \mathrm{dom}(I)$, $(I,s[x/d]) \models p$
$(I,s) \models \langle a \rangle p$ iff for some $t$ with $(s,t) \in \rho_I(a)$, $(I,t) \models p$.

Nondeterminism occurs in DL through the constructs $*$ and $\cup$. We can
eliminate the nondeterminism by allowing $*$ and $\cup$ to appear only in the contexts
$p?;a \cup \neg p?;b$ and
$(p?;a)^*;\neg p?$,

which  we  abbreviate  respectively  as  if  p  then  a  else  b  fi  and  while  p  do  a  od. 
We  leave  it  to  the  reader  to  check  that  this  restriction  leaves  us  with  a 
deterministic  set  of  programs.  The  restricted  language  is  called  DDL. 
3. Motivation from the Propositional Case

This  section  reviews  results  from  [HR]  which  provide  motivation  for  the 
main  result  in  this  paper.  While  it  does  provide  insight  into  the  ideas,  it 
can  be  skipped  without  loss  of  continuity.  We  presume  familiarity  with  the 
relevant  definitions  (see  [HR]  for  more  details). 

A  tree  model  is  one  whose  graph  is  a  tree.  A  tree  is  said  to  be 
sparse if for some polynomial $F$, there are $< F(k)$ nodes at depth $k$. In [HR]
it  was  shown  that  the  truth  of  a  formula  of  (strict)  deterministic  PDL  depends 


only  on  a  sparse  set  of  nodes  of  any  tree  model.  In  particular,  the  proof  of 
Theorem  4.12  of  [HR]  can  be  easily  modified  to  show  the  following: 

Theorem: Suppose $M = (S,\pi,\rho)$ is a tree model (where $\pi$ assigns meaning to
the primitive formulas, and $\rho$ assigns meaning to the primitive programs) and
$M, s_0 \models q$, where $q$ is an SDPDL formula. Then there exists a sparse subtree
$S_q \subseteq S$, such that for any $M' = (S,\pi',\rho)$ such that $\pi'$ and $\pi$ agree on $S_q$
(i.e. $\pi'|S_q = \pi|S_q$) we have $M', s_0 \models q$.

As  a  straightforward  application  of  this  theorem,  we  can  show  that 
SDPDL is less expressive than PDL. Let $p$ be the formula $[(A \cup B)^*]P$, and let
$M = (S,\pi,\rho)$ be the binary tree model pictured below, with $P$ true at every state:


Clearly $M, s_0 \models p$. But suppose $p$ was equivalent to some SDPDL formula $q$.
Then let $S_q \subseteq S$ be the sparse subtree of the previous theorem. Let $\pi'(P) = S_q$,
and let $M' = (S,\pi',\rho)$. Thus $\pi'|S_q = \pi|S_q$, so by the theorem, $M', s_0 \models q$.

But since $P$ is not true at every state in $M'$, we have $M', s_0 \models \neg p$,
contradicting the equivalence of $p$ and $q$.

The  point  here  is  that  we  can  always  "fool"  a  deterministic  formula  q 
which is supposed to be equivalent to $[(A \cup B)^*]P$ at some state where $q$ did not
look. 


4. DDL is less expressive than DL

By analogy to the formula $[(A \cup B)^*]P$ of the previous section, we
consider the formula $[(x_0 = f(x_0) \cup x_0 = g(x_0))^*]P(x_0)$, which we call $p_0$.

We will prove the following

Theorem: $p_0$ is not equivalent to any formula of DDL.

Corollary.  DDL  is  less  expressive  than  DL. 

The  rest  of  this  paper  is  devoted  to  proving  this  theorem.  The 
structures  that  we  use  are  analogous  to  the  complete  binary  trees  of  the 
previous  section. 

Definition: Let $\Sigma = \{0,1\}$ and let $S \subseteq \Sigma^*$. Then $I_S$ is the structure with
$\mathrm{dom}(I_S) = \Sigma^*$ and $f$, $g$, $P$ interpreted as $f(w) = w0$, $g(w) = w1$, and $P(w)$ iff
$w \notin S$. (Thus $P(w)$ holds iff $w$ is not an element of $S$). All other functions
and predicates in $I_S$ are trivial; that is, the functions are projections on
the first variable, and the predicates are identically true. In most of our
applications below, we will take $S$ to be finite. If $S$ is the singleton
consisting of $w \in \Sigma^*$, we write $I_w$ instead of $I_{\{w\}}$.

We can think of $I_S$ as the tree pictured below, where $f$ means "go
right" and $g$ means "go left".

We will also consider auxiliary structures which look like countably
many trees of the form $I_S$. More formally, for $S^* = (S_0, S_1, S_2, \ldots)$ define
the structure $I_{S^*}$ to have domain $\Sigma^* \times N$, with $f((w,i)) = (w0,i)$,
$g((w,i)) = (w1,i)$, and $P((w,i))$ iff $w \notin S_i$. Again all other functions and
predicates are trivial.


Notation: We use $s, s_0, s_1, \ldots$ for the valuations on structures of the form $I_S$,
and $t, t_0, t_1, \ldots$ for valuations on $I_{S^*}$. We reserve $s_0$ for the valuation
which takes $x_i$ to $\lambda$ (the root of the tree), and $t_0$ for the valuation which
takes $x_i$ to $(\lambda,i)$ (the root of the $i$th tree).

Definition: Given $R \subseteq \Sigma^*$ (resp. $\Sigma^* \times N$), let $R(n) = \{w \in R \mid |w| < n\}$
(resp. $\{(w,i) \in R \mid |w| < n\}$). $R$ is said to be sparse if there is a
polynomial $F$ such that for all $n$, $|R(n)| < F(n)$.


Our method of proving the theorem is to show that for a DDL formula $q$,
there is a sparse set $R_q \subseteq \Sigma^*$, such that if $q \equiv p_0$, then for all $w \notin R_q$,
$(I_w, s_0) \models q$, which of course is a contradiction since $(I_w, s_0) \models \neg p_0$.

We proceed through a series of four lemmas. The first shows the strong
connections between the structures $I_S$ and $I_{S^*}$. The idea is that since we
do not have equality in the language, all that matters about a state is the
locations in the tree(s) where $P$ does not hold relative to the values given to
the variables.


Definition: For $S \subseteq \Sigma^*$ and $w \in \Sigma^*$, let $w\backslash S = \{u \mid wu \in S\}$.

Lemma 1: Let $S^* = (S_0, S_1, S_2, \ldots)$, $T^* = (T_0, T_1, T_2, \ldots)$. Let $s$ be a valuation on
$I_S$ with $s(x_i) = u_i$, let $t_1$ be a valuation on $I_{S^*}$ with $t_1(x_i) = (v_i, j_i)$, and let $t_2$
be a valuation on $I_{T^*}$ with $t_2(x_i) = (w_i, l_i)$. Let $q$ be a quantifier-free DDL
formula with free variables $\subseteq \{x_0, \ldots, x_k\}$. Suppose $u_i\backslash S = v_i\backslash S_{j_i}$ (resp. $v_i\backslash S_{j_i} = w_i\backslash T_{l_i}$)
for $i = 0, \ldots, k$. Then $(I_S, s) \models q$ iff $(I_{S^*}, t_1) \models q$ (resp. $(I_{S^*}, t_1) \models q$ iff $(I_{T^*}, t_2) \models q$).

Proof: By a straightforward induction on the structure of formulas. ■

Next, we want to show that without loss of generality we can make
certain special assumptions about DDL formulas interpreted over these structures.

The first is that no function and predicate symbols appear other than $f$, $g$, and
$P$. This follows immediately from the fact that all other functions and predicates
get a trivial interpretation in the structures $I_S$. Secondly we can assume
that all basic assignments in programs (the ones of the form $x = term$) are
actually of the form $x_i = x_j$, $x_i = f(x_j)$, or $x_i = g(x_j)$, since any assignment
of the form $x_i = term$ can be replaced by a sequence of the assignments above;
for example, $x_1 = f(g(x_2))$ can be replaced by $(x_1 = x_2; x_1 = g(x_1); x_1 = f(x_1))$.

Thirdly, we can assume that the argument to predicate $P$ is always a variable $x_i$;
for example while $P(f(x_1))$ do $a$ od can be replaced by $x_2 = f(x_1)$; while $P(x_2)$
do $a$; $x_2 = f(x_1)$ od. (We must be careful to ensure that $x_2$ is a fresh
variable which does not appear anywhere else in the DDL formula.) And finally,
we can assume that the formula is of the form $Q_1 x_1 Q_2 x_2 \ldots Q_k x_k q'$, where $q'$
is a quantifier-free DDL formula, and $Q_i$ is either $\forall$ or $\exists$. This follows
immediately from the following

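Lemma 2: If $y$ does not appear in the DDL program $a$ and $q$ is a DDL formula, then

(a) $\forall y \langle a \rangle q \equiv \langle a \rangle \forall y\, q$

(b) $\exists y \langle a \rangle q \equiv \langle a \rangle \exists y\, q$
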
Proof. We will prove part (a). The proof of (b) is similar and does not
require $a$ to be deterministic.

First note that if $y$ does not appear in $a$, then $a$ does not affect the
value of $y$ during its computation. Thus if $I$ is any structure, and $s_1$, $s_2$
are any valuations, then for any $d \in \mathrm{dom}(I)$, $(s_1, s_2) \in \rho_I(a)$ iff
$(s_1[y/d], s_2[y/d]) \in \rho_I(a)$. Moreover, since $a$ is deterministic, if
$(s_1[y/d], s_3) \in \rho_I(a)$, then we must have $s_3 = s_2[y/d]$. Thus we get
$(I,s) \models \langle a \rangle \forall y\, q$

iff for some $t$, $(s,t) \in \rho_I(a)$ and $(I,t) \models \forall y\, q$

iff for some $t$, $(s,t) \in \rho_I(a)$ and for all $d \in \mathrm{dom}(I)$, $(I, t[y/d]) \models q$

iff for all $d \in \mathrm{dom}(I)$, $(I, s[y/d]) \models \langle a \rangle q$

iff $(I,s) \models \forall y \langle a \rangle q$ ■

For  the  next  two  lemmas  we  will  concentrate  on  quantifier-free  DDL 
formulas. 

Definition: $R \subseteq \Sigma^*$ is said to set $q$ for $S$ at $s$ iff for all $S'$ such that
$R \cap S = R \cap S'$, we have $(I_S,s) \models q$ iff $(I_{S'},s) \models q$. Thus $R$ sets $q$ for $S$ at $s$
if all that matters for the truth of $q$ in $(I_S,s)$ is the value of $P$ on $R$. We
can similarly define what it means for $R \subseteq \Sigma^* \times N$ to set $q$ for $S^*$ at $t$.

Definition: Let $\Phi_m$ be the set of sequences $S^* = (S_0, S_1, S_2, \ldots)$ such
that each $S_i$ is empty or is the singleton $\{w_i\}$ where $|w_i| < m$.

Lemma 3: Let $q$ be a quantifier-free formula of DDL.

(a) For all finite $S \subseteq \Sigma^*$, and all valuations $s$, there is a sparse set $R_{q,S,s} \subseteq \Sigma^*$
which sets $q$ for $S$ at $s$. Moreover, $|R_{q,\emptyset,s}(n)| < c_q n$ and $|R_{q,\{w\},s}(n)| < c_q(|w|+2)^k n$,
where $c_q$ is a constant depending only on the formula $q$, and $k$ is the number of
free variables in $q$.

(b) For all sequences $S^* = (S_0, S_1, S_2, \ldots)$, where each $S_i \subseteq \Sigma^*$ is finite,
there is a sparse set $R_{q,S^*,t}$ which sets $q$ for $S^*$ at $t$. Moreover,
$|R_{q,(\emptyset,\emptyset,\ldots),t}(n)| < c_q n$ and for $S^* \in \Phi_m$, $|R_{q,S^*,t}(n)| < c_q(m+2)^k n$, where $c_q$ and $k$
are as above.

Proof.  Deferred  to  the  appendix. 

Note that from Lemma 3(a) it already follows that $p_0$ is not equivalent
to any quantifier-free DDL formula $q$. For if $q$ is equivalent to $p_0$, then
$(I_\emptyset, s_0) \models q$. Let $w \in \Sigma^* - R_{q,\emptyset,s_0}$ (such a $w$ exists since $R_{q,\emptyset,s_0}$ is sparse). Then
by Lemma 3(a), $(I_w, s_0) \models q$. But $(I_w, s_0) \models \neg p_0$, and this contradicts
the equivalence of $q$ and $p_0$.
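
The argument just given can be watched on a small scale. The following Python sketch is an added illustration, not part of the paper: it evaluates regular programs over the tree structure for a set S using the relational semantics of Section 2, cut off at a fixed word length (an assumption made here so that the search is finite), and records every word on which the oracle for S is consulted. The tuple encoding of programs and the names `run`, `while_do`, `box_P`, `P0` and `LEFT` are choices made for this example.

```python
F, G = "0", "1"          # f(w) = w0, g(w) = w1

def run(prog, s, S, depth, queried):
    """Valuations t with (s, t) in rho_I(prog) over the tree for S,
    ignoring words longer than `depth` (cut-off assumed for this example)."""
    op = prog[0]
    if op == "assign":                       # x_i = fn(x_j)
        _, i, fn, j = prog
        w = s[j] + fn
        return {s[:i] + (w,) + s[i + 1:]} if len(w) <= depth else set()
    if op == "test":                         # P(x_i)?  or  (not P(x_i))?
        _, i, want = prog
        queried.add(s[i])                    # the oracle for S is consulted here
        return {s} if (s[i] not in S) == want else set()
    if op == "seq":
        return {u for t in run(prog[1], s, S, depth, queried)
                  for u in run(prog[2], t, S, depth, queried)}
    if op == "union":
        return (run(prog[1], s, S, depth, queried)
                | run(prog[2], s, S, depth, queried))
    if op == "star":                         # reflexive-transitive closure
        seen, todo = {s}, [s]
        while todo:
            for u in run(prog[1], todo.pop(), S, depth, queried):
                if u not in seen:
                    seen.add(u)
                    todo.append(u)
        return seen
    raise ValueError(op)

def while_do(i, body):
    """while P(x_i) do body od  =  (P(x_i)?; body)*; (not P(x_i))?"""
    return ("seq", ("star", ("seq", ("test", i, True), body)),
            ("test", i, False))

def box_P(prog, S, depth):
    """Truth of [prog]P(x_0) at the root valuation, plus the set of words
    whose P-value was looked at while evaluating it."""
    queried = set()
    outs = run(prog, ("",), S, depth, queried)
    queried |= {t[0] for t in outs}          # the final P(x_0) check
    return all(t[0] not in S for t in outs), queried

# Nondeterministic program of the formula [(x0 = f(x0) U x0 = g(x0))*]P(x0)
P0 = ("star", ("union", ("assign", 0, F, 0), ("assign", 0, G, 0)))
# A deterministic program: while P(x0) do x0 = f(x0) od
LEFT = while_do(0, ("assign", 0, F, 0))

if __name__ == "__main__":
    for S in (set(), {"01"}, {"00"}):
        for name, prog in (("P0", P0), ("LEFT", LEFT)):
            truth, looked = box_P(prog, S, 3)
            print(sorted(S), name, truth, len(looked))
```

With cut-off 3 the nondeterministic formula inspects all 15 words and is false as soon as S is nonempty, while the deterministic one inspects only one word per depth and gives the same answer for S empty and for S = {"01"}, a word it never looked at.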

Definition: For a quantifier-free DDL formula $q$, let $R_{q,n} = \bigcup_{S^* \in \Phi_n} R_{q,S^*,t_0}$
and let $R_q = \{w \mid (w,i) \in R_{q,|w|}\}$.


Lemma 4: $R_q$ is sparse.


Proof: It is sufficient to find a polynomial $F_q$ such that $|R_{q,n}(n)| < F_q(n)$,
since clearly $|R_q(n)| < |R_{q,n}(n)|$. We will do this for the case that the free
variables of $q$ are $x_0$, $x_1$, and $x_2$. It will be clear that the proof extends to
$q$'s with arbitrarily many free variables.

Note that from Lemma 1, it follows that since the free variables of
$q$ are $x_0$, $x_1$, and $x_2$, $R_{q,S^*,t_0}$ depends only on $S_0$, $S_1$, and $S_2$. That
is, given another sequence $T^* = (T_0, T_1, T_2, \ldots)$, if $S_i = T_i$ for $i = 0,1,2$,
then $R_{q,S^*,t_0} = R_{q,T^*,t_0}$. Thus we need only concern ourselves with
elements of $\Phi_n$ of the form $(S_0, S_1, S_2, \emptyset, \emptyset, \ldots)$, which we abbreviate as $(S_0, S_1, S_2)$.
Call this subset $\Phi_n(2)$.

Define an equivalence relation on $\Phi_n(2)$ via $(S_0, S_1, S_2) \equiv (T_0, T_1, T_2)$ iff
$R_{q,(S_0,S_1,S_2),t_0} = R_{q,(T_0,T_1,T_2),t_0}$. We will show that there are less than
$G_q(n)$ equivalence classes, for some polynomial $G_q$ depending on $q$. Then we can
take $F_q(n)$ to be $c_q(n+2)^k n G_q(n)$, since by Lemma 3(b) $|R_{q,(S_0,S_1,S_2),t_0}(n)| < c_q(n+2)^k n$
for $(S_0, S_1, S_2) \in \Phi_n(2)$.

We now proceed to count equivalence classes. Note that $(w,\emptyset,\emptyset) \equiv (\emptyset,\emptyset,\emptyset)$
unless $(w,0) \in R_{q,(\emptyset,\emptyset,\emptyset),t_0}$. Similarly for $(\emptyset,w,\emptyset)$ and $(\emptyset,\emptyset,w)$.

Thus there are at most $1 + n c_q$ equivalence classes of the form $(w,\emptyset,\emptyset)$,
$(\emptyset,w,\emptyset)$, or $(\emptyset,\emptyset,w)$ in $\Phi_n(2)$, since $|R_{q,(\emptyset,\emptyset,\emptyset),t_0}(n)| < c_q n$ by Lemma 3(b).

Now to get an equivalence class of the form $(w_1,w_2,\emptyset)$ distinct from
those of the form $(w,\emptyset,\emptyset)$, $(\emptyset,w,\emptyset)$, or $(\emptyset,\emptyset,w)$, we must either have

(a) $(w_1,1) \in R_{q,(\emptyset,\emptyset,\emptyset),t_0}$ and $(w_2,2) \in R_{q,(w_1,\emptyset,\emptyset),t_0}$, or

(b) $(w_2,2) \in R_{q,(\emptyset,\emptyset,\emptyset),t_0}$ and $(w_1,1) \in R_{q,(\emptyset,w_2,\emptyset),t_0}$, or

(c) $(w_1,1), (w_2,2) \in R_{q,(\emptyset,\emptyset,\emptyset),t_0}$.

Again, since $|w_1|, |w_2| < n$, it is easy to check, using Lemma 3(b),
that there are $< c_q^2 (n+2)^k n^2$ new equivalence classes satisfying each of
conditions (a) and (b), and $< c_q^2 n^2$ satisfying condition (c). Thus we
get $O(n^5)$ new equivalence classes of the form $(w_1,w_2,\emptyset)$, $(w_1,\emptyset,w_2)$, or
$(\emptyset,w_1,w_2)$ for $w_1, w_2 \in \Sigma^*(n)$. A similar analysis can be used to show we
get O(n^) new equivalence classes of the form $(w_1,w_2,w_3)$. Thus we get
polynomially many equivalence classes, as desired. (Similar arguments show
that in general, the polynomial $G_q$ will have degree O(k^), where $k$ is the
number of variables in $q$.) ■


We are (finally!) ready to prove our theorem. The proof is by
contradiction. Suppose the DDL formula $q$ is equivalent to $p_0$. By Lemma 2 we
can assume $q$ is of the form $Q_1 x_1 \ldots Q_k x_k q'$, where $q'$ is a quantifier-free
formula of DDL. We will assume for ease of exposition that $q$ is of the form
$\forall x_1 \exists x_2\, q'$, where the free variables of $q'$ are $x_0$, $x_1$, and $x_2$, but it
should be clear that the proof will work for arbitrary sequences of quantifiers
and for a $q'$ with arbitrarily many free variables.

Choose $w \in \Sigma^* - R_{q'}$ (we can do this since $R_{q'}$ is sparse). Then
$(I_{(\emptyset,w,w)}, t_0) \models p_0$

$\Rightarrow (I_{(\emptyset,w,w)}, t_0) \models q$ (since $q$ is equivalent to $p_0$)

$\Rightarrow (I_{(\emptyset,w,w)}, t_0) \models \forall x_1 \exists x_2\, q'$

$\Rightarrow \forall (w_1,i_1) \exists (w_2,i_2)\ (I_{(\emptyset,w,w)}, t_0[x_1/(w_1,i_1), x_2/(w_2,i_2)]) \models q'$

$\Rightarrow \forall w_1 \exists w_2\ (I_{(\emptyset, w_1\backslash w, w_2\backslash w)}, t_0) \models q'$ (this follows from Lemma 1)

$\Rightarrow \forall w_1 \exists w_2\ (I_{(w, w_1\backslash w, w_2\backslash w)}, t_0) \models q'$

(since $(\emptyset, w_1\backslash w, w_2\backslash w) \in \Phi_{|w|}(2)$ and $w \notin R_{q'}$, so $(w,0) \notin R_{q',|w|}$)
$\Rightarrow \forall w_1 \exists w_2\ (I_w, s_0[x_1/w_1, x_2/w_2]) \models q'$ (by Lemma 1 again)

$\Rightarrow (I_w, s_0) \models \forall x_1 \exists x_2\, q'$

$\Rightarrow (I_w, s_0) \models q$

$\Rightarrow (I_w, s_0) \models p_0$ (since $q$ is equivalent to $p_0$).

But this is clearly a contradiction, since $(I_w, s_0) \models \neg p_0$.

This completes the proof of the theorem. ■

Appendix

Proof of Lemma 3:

We  will  prove  part  (a).  The  proof  of  (b)  is  similar.  We  first  need  to 
simplify  the  form  of  quantifier-free  DDL  formulas. 

Definition: We call a quantifier-free formula elementary if it is of the form
$\{a_1\}_1 \ldots \{a_k\}_k p$, where $\{\}_i$ is either $\langle\,\rangle$ or $[\,]$ and $p$ is either $P(x)$ or $\neg P(x)$.

Lemma: Any quantifier-free DDL formula can be written in "disjunctive normal
form", i.e. as a disjunction of a conjunction of elementary formulas.

Proof. The proof is by induction on the structure of formulas, and follows
immediately from the fact that for DDL programs $a$,

$\{a\}(p \land q) \equiv \{a\}p \land \{a\}q$ and
$\{a\}(p \lor q) \equiv \{a\}p \lor \{a\}q$. ■

It clearly suffices to prove Lemma 3(a) for elementary formulas, since
for an arbitrary quantifier-free DDL formula $q$, we can take $R_{q,S,s} = \bigcup_i R_{q_i,S,s}$,
where the $q_i$ range over the elementary formulas that appear in the "disjunctive
normal form" of the previous lemma.

Now the truth of an elementary formula $q = \{a_1\} \ldots \{a_m\}p$ with free
variables $\subseteq \{x_1, \ldots, x_k\}$ in $(I_S,s)$ depends only on the truth values of $P$ at
those values in $\Sigma^*$ assigned to $x_1, \ldots, x_k$ as we run the program $a_1; \ldots; a_m$
starting in state $(I_S,s)$ (remember we are assuming that all tests are of the
form $P(x_i)$ or $\neg P(x_i)$).

Since $a_1; \ldots; a_m$ is a regular program, it can be represented as a
finite flowchart. We can construct a finite state register machine with an
oracle for $S$ which acts as an interpreter for this program. The number of
states in the machine depends only on $a_1; \ldots; a_m$ and hence on $q$. The machine
will have $k$ registers, one for each of the variables appearing in the program.
The registers are initialized to $s(x_1), \ldots, s(x_k)$. In what follows, we will
deliberately confuse $x_i$ with "the contents of register $i$".

Claim: The machine only consults the oracle on a sparse set of values.

Once we prove this claim we are done. We simply take this sparse set
to be $R_{q,S,s}$ and note that if $S'$ is any set with $S' \cap R_{q,S,s} = S \cap R_{q,S,s}$,
the machine with oracle $S'$ would go through the same sequence of states as the
one with oracle $S$. Thus $(I_S,s) \models q$ iff $(I_{S'},s) \models q$. (The formal proof
of this last statement is a messy but straightforward induction on the
structure of $q$.)

To prove the claim, we first define an equivalence relation on tuples
$(w_1, \ldots, w_k)$ via $(w_1, \ldots, w_k) \equiv (u_1, \ldots, u_k)$ iff $w_i\backslash S = u_i\backslash S$ for $i = 1, \ldots, k$.

Note that since $S$ is finite, $w\backslash S = \emptyset$ for all but finitely many $w \in \Sigma^*$, so
there are only finitely many equivalence classes. Note also that the equivalence
class and the state of the machine completely determine the sequence of basic
instructions (those of the form $x_i = x_j$, $x_i = f(x_j)$, or $x_i = g(x_j)$)
performed by the machine, since for any two equivalent tuples the oracle for $S$
always gives the same answers at every step in the computation.

Thus, if the machine does not halt after a finite number of steps,
there must be two distinct times in its computation when it is in the same
state and the contents of the registers are in the same equivalence class.

Hence, if the machine does not halt after a finite number of steps, it must
repeat the same sequence of basic instructions over and over again; i.e. the
instruction sequence is of the form $a;b^\omega$, where $a$ and $b$ are sequences of
basic instructions.

Suppose the contents of the registers at some point in time are
$(x_1^0, \ldots, x_k^0)$ and let $(x_1^m, \ldots, x_k^m)$ be the contents of the registers after
we run $b^m$ from this point. It is easy to see that there exists $j_i < k$ and
$w_i \in \Sigma^*$ (which depend only on $b$) such that

$x_i^1 = x_{j_i}^0 w_i$ for $i = 1, \ldots, k$.

Now suppose $j_1, \ldots, j_k$ are all distinct. (The argument for the
general case is similar.) Then it is easy to see that for some $u_i \in \{w_1, \ldots, w_k\}^{k!}$,

$x_i^{k!} = x_i^0 u_i$, and thus

$x_i^{h \cdot k!} = x_i^0 (u_i)^h$.

If we let $y_1, \ldots, y_N$ be the contents of the registers at all times as we
run $b^{k!}$ starting from $(x_1^0, \ldots, x_k^0)$, we can again find $v_1, \ldots, v_N \in \Sigma^*$,
$l_1, \ldots, l_N < k$ such that

$y_i = x_{l_i}^0 v_i$, $i = 1, \ldots, N$.

Thus, at any time as we run $b^\omega$ on initial input $(x_1^0, \ldots, x_k^0)$ the contents
of the registers $\subseteq \{x_{l_i}^0 (u_{l_i})^h v_i \mid i = 1, \ldots, N,\ h > 0\}$. Call this set $A$.

Note that for any $n$, $A$ has at most $N$ elements of length $n$ (at most one of the
form $x_{l_i}^0 (u_{l_i})^h v_i$ for each $i = 1, \ldots, N$). If we let $B$ = {contents of the registers at
all times as we run $a$ on input $(s(x_1), \ldots, s(x_k))$}, let $(x_1^0, \ldots, x_k^0)$ be the
contents of the registers after running program $a$ on input $(s(x_1), \ldots, s(x_k))$,
and take $R_{q,S,s} = A \cup B$, we are done.

Note that $N <$ the number of steps (assignments) performed by $b^{k!}$ = $k!$
× (the number of steps performed by program $b$), while $|B| <$ the number of
steps performed by program $a$. Moreover, the number of steps performed by $a;b$
is $<$ the number of equivalence classes. If $S = \emptyset$, there is only one
equivalence class, and if $S = \{w\}$, there are at most $(|w|+2)^k$ equivalence
classes since there are $|w|+2$ values for $u\backslash w$. These observations give us the
second half of Lemma 3(a). ■